Employee Data Transfers to U.S. - U.S. Intelligence Surveillance Threatens to Kill off Safe Harbor Scheme
An opinion of the European Court Advocate General means that transfers of E.U. employees’ personal data to the U.S. under the Safe Harbor Scheme may soon be unlawful.
The E.U. Data Protection Directive provides protection for the transfer, processing and storage of employees’ personal data within the E.U. Each member state has been required to implement these protections into national law. Businesses located within the E.U. wishing to transfer personal data to an outside country – as is often the case for E.U. based subsidiaries of U.S. parent companies – may not do so unless that country’s laws offer equivalent protection to that provided by E.U. law.
While the U.S. does not have equivalent data protection laws it does have a voluntary system called the Safe Harbor Scheme. This is a code of practice to which U.S. businesses may subscribe. In 2000 the E.U. Commission agreed that the Safe Harbor Scheme offered equivalent protections to E.U. law. This meant that E.U. based companies could transfer data to the U.S. provided that the U.S. based organisation processing it had signed up to the Safe Harbor Scheme.
Serious doubt has now been cast on the continuing validity of the Safe Harbor Scheme by an opinion of the Advocate General of the Court of Justice in the E.U. (“European Court”). If the opinion is confirmed by the full European Court, E.U. based companies may no longer be able to lawfully transfer personal data for processing or storage in the U.S.
What has Happened?
An employee of a Facebook E.U. subsidiary brought a case arguing that the widespread surveillance by the U.S. intelligence services of individuals’ data, as widely reported in the global press, and the lack of any U.S. judicial control of that surveillance meant that his personal data was no longer adequately safeguarded under the Safe Harbor Scheme if transferred to the U.S.
Safe Harbor Deemed Invalid for Protection of Data Rights
The Advocate General of the European Court agreed and stated:
- The unrestricted access enjoyed by the United States intelligence services to data transferred to the U.S. and stored there and the absence of any system of judicial control over that constitutes an interference with the E.U. fundamental rights to respect for private life and protection of personal data;
- As a result the U.S. Safe Harbor scheme no longer provides adequate protection for these fundamental rights and reliance on it is contrary to E.U. law.
What Does this Mean for Companies Transferring Data to the U.S.?
The European Court will now need to reach a final judgment on this matter. However, it is rare that it disagrees with an opinion from its Advocate General. If the court’s final judgment does follow his opinion then an E.U. based business that transfers employees’ personal data to the U.S. relying on the Safe Harbor Scheme will be acting unlawfully. In the U.K., the Information Commissioner (ICO) (the regulator for data protection issues) would have the power to impose significant fines for infringement of data protection rights. Other sanctions would apply in other E.U. states.
What Should My Business Do?
This is a very important development. While we await final judgment from the European Court, if your business is using the Safe Harbor Scheme you should consider now how you would respond if the court follows the Advocate General’s opinion.
There are a number of other alternatives to using the Safe Harbor Scheme.
The most common alternative to the Safe Harbor Scheme in the U.K., as elsewhere in the E.U., is for companies to adopt model agreements as provided by the Data Protection Directive. The agreements contain clauses which are approved by the E.U. Commission and, in the U.K., by the ICO, as adequate protection. The model agreements offer U.K. companies transferring data to, and storing it in, the U.S. a solution sanctioned by the U.K. regulator. However, it is now unclear whether these agreements will fully protect the companies from liability for transfers outside the E.U. They do not address the concern around employee data being subject to surveillance in the U.S., while at the same time they require the data exporter to confirm that the relevant security measures are adequate.
New law is currently being debated in the U.S. legislature that could provide sufficient judicial safeguards over information surveillance to address the Advocate General’s concerns. However, unless and until that becomes law, the position of E.U. based companies transferring data to the U.S. remains uncertain and needs to be carefully watched. To date no updated guidance has been published by the ICO in relation to this matter.
We will report further on the issue when the European Court’s final judgment is given, which is expected in October 2015.
Call us to discuss your options in minimising your risks when transferring data to the U.S. on +44(0)203 051 5711 or at firstname.lastname@example.org.
6 October 2015: The Court of Justice in the European Community (CJEU) has just upheld the Advocate General's opinion in the case brought by Max Schrems and finds that the decision by the European Commission that the U.S. Safe Harbor scheme offers adequate protection of employees' personal data is no longer valid. This has major implications for E.U. based companies transferring data to the U.S. More information to follow shortly.
Content is for general information purposes only. The information provided is not intended to be comprehensive and it does not constitute or contain legal or other advice. If you require assistance in relation to any issue please seek specific advice relevant to your particular circumstances. In particular, no responsibility shall be accepted by the authors or by Abbiss Cadres LLP for any losses occasioned by reliance on any content appearing on or accessible from this article.